Testland

qa-sast

SAST (static application security testing): 7 skills (bandit-python, codeql-queries, eslint-security-rules, gosec-go, pmd-apex-rules, semgrep-rules, sonarqube-rules) and 1 agent (sast-finding-triager). Every scanner skill includes a mandatory False-positive triage section.

Install this plugin

/plugin install qa-sast@testland-qa

Part of role bundle: qa-role-security

qa-sast

SAST (static application security testing). Five per-tool skill wrappers (Semgrep, SonarQube, CodeQL, Bandit, gosec) plus an adversarial unifier agent (sast-finding-triager) that combines multi-scanner output, deduplicates, applies waivers, and emits a single PR-ready verdict.

Every scanner skill includes a ## False-positive triage section with concrete suppression patterns + justification template + review cadence. Security scanners without FP triage become shelf-ware (the team disables them, then forgets).

Components

Type | Name | Description
Skill | semgrep-rules | Pattern-DSL multi-language SAST; registry rulesets + custom YAML; semgrep ci with baseline-diff for legacy adoption; SARIF/JSON/GitLab-SAST/JUnit output
Skill | sonarqube-rules | Multi-language SAST + Quality Gate platform; new-code-period gating; persistent issue tracking; PR analysis (Developer+); REST API for automation
Skill | codeql-queries | Semantic-database SAST with cross-file taint flows; codeql database create/analyze; query packs per language; GitHub Code Scanning native integration
Skill | bandit-python | Python-specific SAST; 60+ rules across 7 categories (B1xx-B7xx); two-dimensional severity + confidence filtering; pyproject.toml config
Skill | gosec-go | Go-specific SAST; 40+ rules (G101-G602); AST + SSA + taint analysis; integrated with golangci-lint
Agent | sast-finding-triager | Adversarial unifier across all 5 sister scanners; deduplicates by (file, line, normalized_cwe); waiver enforcement (expires: + approved_by: + reason: mandatory); refuses pass with unwaived critical findings
Skill | eslint-security-rules | ESLint security plugins (eslint-plugin-security + no-unsanitized) as the JS/TS first-party SAST layer.
Skill | pmd-apex-rules | PMD Apex security ruleset for Salesforce Apex SAST.
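The triage rule the sast-finding-triager row describes, as an added Python illustration that is not the agent's own code: merge findings from several scanners, deduplicate on (file, line, normalized_cwe), honour only waivers that carry reason, approved_by and an unexpired expires, and refuse a pass while any unwaived critical finding remains. The function names, the finding dictionary fields and the sample findings are assumptions made for this illustration.

```python
from datetime import date

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
REQUIRED_WAIVER_FIELDS = ("reason", "approved_by", "expires")  # all mandatory, as the row states

def normalize_cwe(cwe):
    """Map 'CWE-89', 'cwe89' or 89 to the bare integer so scanners agree on one key."""
    digits = "".join(ch for ch in str(cwe) if ch.isdigit())
    return int(digits) if digits else None

def dedupe(findings):
    """Collapse findings onto (file, line, normalized_cwe); keep the worst severity seen."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], normalize_cwe(f["cwe"]))
        entry = merged.get(key)
        if entry is None:
            entry = merged[key] = {"file": f["file"], "line": f["line"], "cwe": key[2],
                                   "severity": f["severity"], "scanners": []}
        entry["scanners"].append(f["scanner"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    return merged

def waiver_valid(waiver, today):
    """A waiver counts only with every mandatory field filled and an expiry on or after today."""
    if any(not waiver.get(k) for k in REQUIRED_WAIVER_FIELDS):
        return False
    return date.fromisoformat(waiver["expires"]) >= date.fromisoformat(today)

def triage(findings, waivers, today):
    """Return (verdict, open_findings): 'fail' while any unwaived critical finding remains."""
    open_findings = [f for key, f in dedupe(findings).items()
                     if not (key in waivers and waiver_valid(waivers[key], today))]
    critical_left = any(f["severity"] == "critical" for f in open_findings)
    return ("fail" if critical_left else "pass"), open_findings

# Constructed sample input (hypothetical files and findings, not real scanner output).
SAMPLE_FINDINGS = [
    {"scanner": "semgrep", "file": "app.py", "line": 42, "cwe": "CWE-89", "severity": "critical"},
    {"scanner": "codeql", "file": "app.py", "line": 42, "cwe": 89, "severity": "high"},
    {"scanner": "bandit", "file": "settings.py", "line": 7, "cwe": "CWE-798", "severity": "high"},
]
SAMPLE_WAIVERS = {
    # complete waiver: accepted
    ("settings.py", 7, 798): {"reason": "test fixture credential", "approved_by": "sec-lead", "expires": "2030-01-01"},
    # approved_by missing: rejected, so the SQLi finding stays open and the verdict is fail
    ("app.py", 42, 89): {"reason": "parameterised upstream", "expires": "2030-01-01"},
}
```

Calling `triage(SAMPLE_FINDINGS, SAMPLE_WAIVERS, "2026-01-01")` yields a fail verdict with one open finding attributed to both semgrep and codeql; completing the missing approved_by field flips it to pass, and an expired date flips it back.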

Install

/plugin marketplace add testland/qa
/plugin install qa-sast@testland-qa

Skills

bandit-python

Configures and runs Bandit - Python-specific SAST from the OpenStack security plugin set covering 60+ rule IDs across 7 categories (B1xx misc, B2xx application, B3xx blacklists/cryptography, B4xx imports, B5xx, B6xx injections, B7xx XSS); supports `bandit -r .` recursive scan, `--severity-level low|medium|high`, `--confidence-level low|medium|high` filtering, `# nosec` and `# nosec B404` per-line + per-rule suppressions, `pyproject.toml` `[tool.bandit]` config including `exclude_dirs`. Use when the user works with Python and needs a focused, low-overhead SAST integrated with pre-commit / CI.

codeql-queries

Configures and runs GitHub CodeQL - semantic-database SAST with queries written in the CodeQL declarative query language; supports `codeql database create` (per-language) + `codeql database analyze` with `--format=sarif`; ships query packs (`codeql/javascript-queries`, `codeql/python-queries`, `codeql/java-queries`, `codeql/go-queries`, etc.); integrates with GitHub Code Scanning via SARIF upload; suppression via inline comment + sarif-filter + Security-tab dismissal. Use when the team uses GitHub-hosted repos and needs deep semantic SAST beyond pattern matching (cross-file taint flows, dataflow analysis).

eslint-security-rules

Configures and runs `eslint-plugin-security` (14 detect-* rules covering injection, path traversal, ReDoS, unsafe buffers, and bidi trojan-source) plus `eslint-plugin-no-unsanitized` (DOM XSS via `innerHTML`, `outerHTML`, `document.write`, `insertAdjacentHTML`) as the JS/TS first-party SAST layer; covers flat config setup, per-rule suppression with justification templates, SARIF output via `@microsoft/eslint-formatter-sarif` for GitHub Code Scanning upload, and CI gating on ESLint exit code 1. Use when the project is JS or TS and needs an in-process security lint pass without a separate SAST server.

gosec-go

Configures and runs gosec - Go-specific SAST covering 40+ rule IDs (G101 hardcoded creds, G104 unhandled errors, G304 file path traversal, G401 weak crypto algorithms, G601 implicit memory aliasing, etc.); supports `gosec ./...` recursive scan via Go AST + SSA analysis with taint tracking; per-line `#nosec G404 -- justification` suppression; output formats `--fmt sarif|json|junit-xml|html|text`; integrates with golangci-lint as a linter. Use when the user works with Go and needs a focused SAST integrated with golangci-lint.

pmd-apex-rules

Runs PMD's built-in Apex security ruleset (`category/apex/security.xml`) against Salesforce Apex source to detect injection, privilege-escalation, cryptographic, and XSS vulnerabilities; configures custom rulesets for regulated-industry Apex codebases; emits SARIF for GitHub Code Scanning upload; integrates `pmd check` as a PR-blocking CI gate. Use when the codebase contains Salesforce Apex and the team needs SAST coverage for ApexSOQLInjection, ApexCRUDViolation, ApexSharingViolations, or the full 10-rule security category.

semgrep-rules

Configures and runs Semgrep - pattern-based SAST across 30+ languages with the Semgrep Registry rulesets (`p/owasp-top-ten`, `p/default`, `auto`) plus custom YAML rules; integrates `semgrep ci` for PR-blocking gates with `--baseline-commit` diff-aware scanning, per-finding inline `nosemgrep` suppressions, `--exclude` / `--include` path filters, output formats (`--json` / `--sarif` / `--gitlab-sast` / `--junit-xml`), and severity filter (INFO/WARNING/ERROR). Use when the user runs Semgrep, asks about pattern rules, or needs a low-friction SAST gate without semantic-DB setup.

sonarqube-rules

Configures and runs SonarQube / SonarCloud - multi-language SAST + Quality Gate platform with built-in Sonar Way rule profiles + custom rule plugins; integrates `sonar-scanner` with `sonar-project.properties` config; supports Quality Gate definitions including new-code-period blocking, branch + PR analysis, and per-issue suppression via `// NOSONAR` comment or `@SuppressWarnings("squid:RULE_ID")` annotation. Use when the user runs SonarQube Community / Developer / Enterprise edition or SonarCloud, or needs a multi-language SAST + code-quality platform with persistent issue tracking.